Summary: Microsoft SharePoint Foundation 2010 can use the authentication providers that are provided by Windows Server 2008 to authenticate users. For example, Microsoft SharePoint Foundation can use forms-based authentication or Web single sign-on.

When using the Kerberos version 5 authentication protocol, the service account that is used by the Internet Information Services (IIS) application pool for your Web application must have a service principal name (SPN) registered in Active Directory Domain Services (AD DS) in the domain of which the front-end Web server is a member.

Symptoms: This event appears in the event log:

Event ID: 6590

Description: The application pool account has insufficient permissions to add user accounts to Active Directory. When using Kerberos authentication, the service account used by the Internet Information Services (IIS) application pool for your Web application must be registered in Active Directory as a Service Principal Name (SPN) on the domain on which the Web front-end is a member.

Cause: One or more of the following might be the cause:

If using Kerberos v5 authentication, the Web application pool account does not have a registered service principal name (SPN).

If using either forms-based authentication or Web single sign-on, the authentication provider could not be loaded because no membership provider name was specified.

The Web application pool must be restarted for changes to be saved.

Note

You must be a member of the Farm Administrators SharePoint group to perform the following action.

Resolution: Determine which authentication type the site is using

1. On the SharePoint Central Administration Web site, on the Quick Launch click Security, and in the General Security section click Specify Authentication Providers.

2. On the Authentication Providers page, click the zone for the site in the list.

3. On the Edit Authentication page, the authentication type is displayed in the IIS Authentication Settings section.

Resolution: Register the application pool account as an SPN

The Web application pool account does not have a registered service principal name (SPN). Contact a domain administrator and make sure that the service account that is used by the application pool has the SPN registered for every domain listed with the Web application.
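A check a farm or domain administrator can run before (and after) the SPN registration described above, as an added example that is not part of the original article: it lists, for each host name of the Web application, whether the HTTP SPN is held by the application pool account, missing, held by another account, or duplicated. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to AD DS; the account name spWebAppPool and the host names are placeholders.

```powershell
# Added example (not from the original article). Verifies the HTTP SPNs that
# Negotiate (Kerberos) needs for a SharePoint Web application. Assumes the
# ActiveDirectory module; 'spWebAppPool' and the host names are placeholders.
Import-Module ActiveDirectory

function Test-WebAppSpn {
    param(
        [Parameter(Mandatory)][string]$AccountSamName,   # application pool account, e.g. 'spWebAppPool'
        [Parameter(Mandatory)][string[]]$HostNames       # every host header / FQDN of the Web application
    )

    $account = Get-ADUser -Identity $AccountSamName -Properties servicePrincipalName
    $held = @($account.servicePrincipalName)

    foreach ($h in $HostNames) {
        $spn = "HTTP/$h"
        # Every object in the domain that holds this SPN. Kerberos ticket requests
        # fail (clients fall back to NTLM) when the SPN is missing or duplicated.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

        $status = if (($held -contains $spn) -and ($holders.Count -eq 1)) { 'OK' }
                  elseif ($holders.Count -gt 1) { 'DUPLICATE' }
                  elseif ($holders.Count -eq 1) { "HELD BY $($holders[0].Name)" }
                  else { 'MISSING' }

        [pscustomobject]@{ SPN = $spn; Account = $AccountSamName; Status = $status }
    }
}

# Check both the short name and the FQDN, because clients may request either.
Test-WebAppSpn -AccountSamName 'spWebAppPool' -HostNames 'intranet', 'intranet.contoso.com' |
    Format-Table -AutoSize

# For a MISSING result a domain administrator registers the SPN on the pool
# account; setspn -S refuses to create a duplicate:
#   setspn -S HTTP/intranet.contoso.com CONTOSO\spWebAppPool
```

Run the check again after registration; every row should read OK before the zone is switched to Negotiate (Kerberos).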

Note

You must be a member of the Farm Administrators SharePoint group to perform the following tasks.

Resolution: Specify membership provider name and a role manager

1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.

2. On the Authentication Providers page, select the zone for which you want to change authentication settings.

3. On the Edit Authentication page, in the Authentication Type section, select either the Forms or Web single sign-on authentication option. Windows authentication is selected by default.

4. Click Save.

5. In the Membership Provider Name section, type the name in the Membership provider name text box.

6. In the Role Manager Name section, type the name in the Role manager name text box.

7. Click Save.

Resolution: Edit authentication settings for a zone

1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.

2. On the Authentication Providers page, select the zone for which you want to change authentication settings.

3. On the Edit Authentication page, in the Authentication Type section, select the authentication option. Windows authentication is selected by default.

4. In the IIS Authentication Settings section, select the setting. Integrated Windows authentication — NTLM is selected by default. If you select Negotiate (Kerberos), you must perform additional steps to configure authentication.